def __init__(self): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on #sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) #sys.stderr.flush() self.config.add_option("INFO", default = None, action = "store_true", cache_invalidator = False, help = "Print information about all registered objects") # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(self.config, addrspace.BaseAddressSpace) registry.register_global_options(self.config, commands.Command) # Reset the logging level now we know whether debug is set or not debug.setup(self.config.DEBUG) #pdb.set_trace() ## Try to find the first thing that looks like a module name self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def main(): if len(sys.argv) != 4: print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname") sys.exit(1) registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = sys.argv[1] config.LOCATION = sys.argv[2] processes = taskmods.PSList(config) target = filter_by_name(processes, sys.argv[3]) # .text info imagebase, va, rawsize = get_text_section_info(target) if imagebase == None: print "[-] Error: probably wrong .text section name" sys.exit(1) text_start = imagebase + va text_end = imagebase + va + rawsize permissions = get_vad_protect_flags(target, text_start, text_end) print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG) # dll info modules = get_dll_info(target) # printing dll info for name, info in modules.items(): dll_start = info[0] dll_end = info[0] + info[1] permissions = get_vad_protect_flags(target, dll_start, dll_end) print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name) # heap info hs = get_heap_info(target) # printing heap info for h in hs: heap_start = h.BaseAddress.v() heap_end = h.LastValidEntry.v() permissions = get_vad_protect_flags(target, heap_start, heap_end) print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG) # stack info tebs = get_stack_info(target) # printing stack info for t in tebs: stack_start = t.NtTib.StackBase.v() stack_end = t.NtTib.StackLimit.v() permissions = get_vad_protect_flags(target, stack_start, stack_end) print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def init_volatility(): import volatility.conf as volconf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace if hasattr(volconf, "PyREBoxVolatility"): registry.PluginImporter() vol_config = volconf.ConfObject() registry.register_global_options(vol_config, commands.Command) registry.register_global_options(vol_config, addrspace.BaseAddressSpace) vol_config.PROFILE = conf_m.vol_profile # Set global volatility configuration conf_m.vol_conf = vol_config return True else: pp_error( """The imported volatility version is not appropriate for PyREBox: * Your local volatility installation may be in conflict with PyREBox's volatility installation... ... set up a virtual env to avoid the conflict (see installation instructions). * You have a virtual env for PyREBox's python dependencies, and you forgot to activate it! ... you know what to do!\n""") return False
def main(argv=None): setupLogging("admemanalysis.log", logging.INFO) registry.PluginImporter() config = conf.ConfObject() config.add_option('OUTPUT-PATH', default=None, help='Where to create output files', action='store', type='str') config.process_id = None registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) if not os.path.isfile("inputdata.json"): raise NameError("Input file(inpudata.json) was not found") data = None with open("inputdata.json") as data_file: data = json.load(data_file) operations = data['operationdata'] sys.argv.append("-f") sys.argv.append(data["filestreamtoanalyze"]) sys.argv.append("--profile") profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile() logging.info('profile detected is {0}'.format(profile)) sys.argv.append(profile) output_path = data.get('outputpath') or '' config.parse_options(False) sys.argv.append("--output-path") sys.argv.append(output_path) config.parse_options() if utils.getConfigValue(operations, 'process') == True: adprocessesfactory.ADProcesses().execute(operations, config) if utils.getConfigValue(operations, 'drivers') == True: addriveranddevicefactory.DriverDeviceScan().execute(config) if utils.getConfigValue(operations, 'modules') == True: adkernelmodulesfactory.ADKernelModules().execute(config) if utils.getConfigValue(operations, 'sdts') == True: adsdtfactory.ADSdtGenerator().execute(config) if utils.getConfigValue(operations, 'yarascan') == True: adyarascanfactory.ADYaraScan().execute("", config) if utils.getConfigValue(operations, 'idt') == True: processors = kpcr.doProcessors(config) f = open(config.OUTPUT_PATH + 'processors.xml', 'w') #f.write(processors.SerializeToString()) f.write(proto2xml(processors, indent=0)) if utils.getConfigValue(operations, 'registry') == True: adregistryfactory.ADRegistryExtractor().execute(config)
def vol_profiles(self): # Load available volatility profiles prof = obj.Profile registry.PluginImporter() profList = sorted( [i.__name__.split('.')[-1] for i in prof.__subclasses__()]) return profList
def __init__(self, memdump, osprofile=None): """@param memdump: the memdump file path @param osprofile: the profile (OS type) """ registry.PluginImporter() self.memdump = memdump self.osprofile = osprofile self.config = None self.__config()
def __init__(self, dump, apps, syst, out_dir="files", plugins_dir=None, from_cache=True): """ Determines the profile, retrieves the list of processes and creates the list of application dumpers. :param dump: Volatility memory dump filename :param apps: list of the application dumper classes to be handled :param syst: list of the system dumper classes to be handled :param out_dir: output directory for retrieved resources :param plugins_dir: Volatility custom plugins directory :param from_cache: boolean indicating if the profile must be retrieved from a cache file in /tmp or found by Volatility """ short = dump dump = abspath(dump) assert isfile(dump), "{} is not a dump file".format(dump) assert all(x in APPDUMPERS for x in apps), "Unknown application dumper(s)" assert all(x in SYSDUMPERS for x in syst), "Unknown system dumper(s)" assert plugins_dir is None or isdir(plugins_dir), "Bad plugins dir" assert isinstance(from_cache, bool) self._artifacts = [] self._cache = {} self._selected_apps = apps self._selected_syst = syst if len(self._selected_apps) == 0 and len(self._selected_syst) == 0: logger.warning("No dumper selected") sys.exit(0) logger.debug("Setting output directory to '{}'...".format(out_dir)) self.out_dir = abspath(out_dir) if not exists(self.out_dir): os.makedirs(self.out_dir) self._cachefile = join(self.out_dir, ".cache") # initialize dump opening registry.PluginImporter() self.__is_profile_tested = False self.config = conf.ConfObject() if plugins_dir is not None: plugins_dir = expanduser(plugins_dir) logger.debug( "Setting plugins directory to '{}'...".format(plugins_dir)) self.config.plugins = abspath(plugins_dir) for cls in [commands.Command, addrspace.BaseAddressSpace]: registry.register_global_options(self.config, cls) self.__commands = {k.lower(): v for k, v in \ registry.get_plugin_classes(commands.Command).items()} self.config.LOCATION = "file://{}".format(dump) # get the right dump profile and test it while getting processes logger.info("Opening dump file '{}'...".format(short)) self.__is_profile_tested = self.__get_profile(from_cache)
def __init__(self, profile, mem_path): # Setup Vol Debugger debug.setup() registry.PluginImporter() self.memdump = mem_path self.osprofile = profile self.config = None self.addr_space = None self.init_config()
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write( "Volatility Foundation Volatility Framework {0}\n".format( constants.VERSION ) ) sys.stderr.flush() # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower=True) for m in config.args: if m in list(cmds.keys()): module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") try: if module in list(cmds.keys()): command = cmds[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") command.execute() except exceptions.VolatilityException as e: print(e)
def vol_profiles(self): ''' Load available Volatility profiles @return: the list of loaded Volatility profiles ''' prof = obj.Profile registry.PluginImporter() profList = sorted( [i.__name__.split('.')[-1] for i in prof.__subclasses__()]) return profList
def __init__(self, memdump, osprofile): """@param memdump: the memdump file path @param osprofile: the profile (OS type) """ registry.PluginImporter() self.memdump = memdump self.osprofile = osprofile self.config = None self.addr_space = None self.profiles = registry.get_plugin_classes(obj.Profile).keys() self.init_config()
def __init__(self, path, profile='WinXPSP2x86'): self.config = conf.ConfObject() registry.PluginImporter() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) # self.config.parse_options() self.config.PROFILE = profile self.config.LOCATION = "file://" + path self.Memory = utils.load_as(self.config) self.Processes = self.__getProcesses() self.Threads = self.__getThreads()
def init_volatility(conf): import volatility.conf as volconf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace registry.PluginImporter() vol_config = volconf.ConfObject() registry.register_global_options(vol_config, commands.Command) registry.register_global_options(vol_config, addrspace.BaseAddressSpace) vol_config.PROFILE = conf.vol_profile # Set global volatility configuration conf_m.vol_conf = vol_config
def __init__(self, profile, mem_path): """ setup base config :param profile: :param mem_path: :return: """ debug.setup() registry.PluginImporter() self.memdump = mem_path self.osprofile = profile self.config = None self.addr_space = None self.init_config()
def main(): parser = argparse.ArgumentParser(description = "Hashed password grabber") parser.add_argument("-mf",action="store",dest="file",help="memory file(.vmem)") parser.add_argument("-p",action="store",dest="path",type=int,help="path to volatility") results = parser.parse_args() if results.file is None or results.path is None: parser.print_help() exit(0) memory_file = results.file #.vmem sys.path.append(results.path) registry.PluginImporter() config = conf.ConfObject() config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://{0}".format(memory_file) registry.register_global_options(config,commands.Command) registry.register_global_options(config,addrspace.BaseAddressSpace) registry = RegistryApi(config) registry.populate_offsets() sam_offset = None sys_offset = None for offset in registry.all_offsets: if registry.all_offsets[offset].endswith("\\SAM"): sam_offset = offset print("[*]SAM: 0x%08x".format(offset)) if registry.all_offsets[offset].endswith("\\system"): sys_offset = offset print("[*]System: 0x%08x".format(offset)) if sam_offset is not None and sys_offset is not None: config.sys_offset = sys_offset config.sam_offset = sam_offset hashdump = HashDump(config) for hash in hashdump.calculate(): print(hash) break if sam_offset is None or sys_offset is None: print("[*]Failed to find the system or SAM offset.")
def run_plugin_process(name, queue, config, cmds): registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) config.parse_options() command = cmds[name](config) print 'running: ' + name try: calc = command.calculate() command.render_sqlite(config.OUTPUT_FILE, calc) except Exception as err: print name + ': ' + err.message finally: queue.put(name) return
def get_address_space(service_path, profile, yara_path): log.info("Obtaining address space and generating config for volatility") registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = service_path config.YARA_FILE = yara_path return utils.load_as(config)
def __init__(self, image_path): """ Create a new Analyzer, with a given image_path """ registry.PluginImporter() self.config = conf.ConfObject() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) # self.config.PROFILE = "WinXPSP3x86" self.config.LOCATION = image_path self.config.parse_options()
def __init__(self, profile, kdbg, memimg): ''' @profile: a Volatality profile string @kdbg: a kdbg address string @memimg: a memory image file name ''' # volatility black magic registry.PluginImporter() self.config = conf.ConfObject() self.config.optparser.set_conflict_handler(handler="resolve") registry.register_global_options(self.config, commands.Command) if memimg: self.base_conf = { 'profile': profile, 'use_old_as': None, 'kdbg': None if kdbg is None else int(kdbg, 16), 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': None, 'info': None, 'location': "file://" + memimg, 'plugins': None, 'debug': None, 'cache_dtb': True, 'filename': None, 'cache_directory': None, 'verbose': None, 'write': False } # set the default config for k, v in self.base_conf.items(): self.config.update(k, v) if profile == None: profile = self.guess_profile(memimg) sys.stderr.write("Using profile: %s\n" % profile)
def init_config(): sys.path.append("/usr/src/volatility") origargv = sys.argv sys.argv = [sys.argv[0], "-f", "/mnt/mem", "--profile", "LinuxDebian8x64"] config = conf.ConfObject() registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) # Initialize address space (same as a=addrspace() in linux_volshell) global a a = utils.load_as(config) global p p = a.profile print("in init.. p = ", p) # Lookup kernel symbol pointing to first module global init_task_addr i = p.get_symbol("init_task") init = obj.Object("task_struct", vm=a, offset=i)
def run_plugin_process(name, queue, config, cmds): registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) config.parse_options() command = cmds[name](config) print 'running: ' + name errstr = '' try: calc = command.calculate() command.render_sqlite(config.OUTPUT_FILE, calc) #AddColumn(config.OUTPUT_FILE, name, 'profile', config.PROFILE) except Exception as err: print name + ': ' + err.message errstr = err.message finally: result = {name:errstr} queue.put(result) #queue.put(name) return
def __init__(self, queueObj): self.config = conf.ConfObject() self.path = queueObj.filename self.profile = queueObj.profile registry.PluginImporter() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) self.config.parse_options(False) profs = registry.get_plugin_classes(obj.Profile) if self.profile != "Use Imageinfo": self.config.PROFILE = self.profile self.config.LOCATION = 'file://' + self.path self.config.OUTPUT = 'sqlite' self.config.OUTPUT_FILE = queueObj.output_path self.config.parse_options(False) self.config.YARA_FILE = queueObj.yara_rule self.config.DUMP_DIR = queueObj.dump_dir self.config.PID = queueObj.pid
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace import volatility.utils as volutils registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) # Dying because it cannot parse argv options # apparently, it was not required to parse options. hey. # config.parse_options() #addr_space = volutils.load_as(config,astype = 'any') #print config.PROFILE #import code #code.interact(local=locals()) config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo #import code #print _target_platform.__dict__ # code.interact(local=locals()) command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
import sys import struct memory_file = "WinXPSP2.vmem" sys.path.append("/Downloads/volatility-2.3.1") import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://%s" % memory_file registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) from volatility.plugins.registry.registryapi import RegistryApi from volatility.plugins.registry.lsadump import HashDump registry = RegistryApi(config) registry.populate_offsets() sam_offset = None sys_offset = None
def __init__(self, data_buffer_in, data_condition_in, src, filepath, profile, memcache): Input.__init__(self, data_buffer_in, data_condition_in, src) self.name = 'Input Volatility' self.module_id = Module.INPUT_VOLATILITY self.machineguid = "" self.memcache = memcache if self.memcache: self.console_print("Memcache is:" + self.memcache) # WE CHECK IF THIS MEMORY HAS CACHE cache_process = self.memcache+"_"+"process" cache = False if os.path.exists(cache_process): with open (cache_process, 'r') as outfile: vprocess = json.load(outfile) cache = True outfile.close() cache_threads = self.memcache+"_"+"threads" if os.path.exists(cache_threads): with open (cache_threads, 'r') as outfile: vthreads = json.load(outfile) #cache = True outfile.close() cache_vads = self.memcache+"_"+"vads" if os.path.exists(cache_vads): with open (cache_vads, 'r') as outfile: vvads = json.load(outfile) #cache = True outfile.close() cache_tokens = self.memcache+"_"+"tokens" if os.path.exists(cache_tokens): with open (cache_tokens, 'r') as outfile: vtokens = json.load(outfile) #cache = True outfile.close() if cache: self.console_print("Using process cache file: "+cache_process) self.console_print("Using threads cache file: "+cache_threads) self.console_print("Using vads cache file: "+cache_vads) self.console_print("Using tokens cache file: "+cache_tokens) self.send_message(vprocess) self.send_message(vthreads) self.send_message(vvads) self.send_message(vtokens) self.terminate() sys.exit(0) else: self.console_print("Memcache is not found") sys.exit(0) self.console_print("Starting INPUT VOLATILITY analysis") # Relative Path filepath2 = "" if filepath.find(":\\") == -1: filepath2 = os.getcwd()+"\\"+filepath self.filepath = filepath2 filepath = "file:///" + filepath2 else: # Absolute path self.filepath = filepath filepath = "file:///" + filepath self._config = conf.ConfObject() self._config.PROFILE = profile self._config.LOCATION = filepath self._config.hive_offset = None self._config.HIVE_OFFSET = None registry.PluginImporter() registry.register_global_options(self._config, commands.Command) registry.register_global_options(self._config, addrspace.BaseAddressSpace)